CVE-2022-25216
published 2022-03-11

CVE-2022-25216: An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12…

Priority: P2 (61), high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: EXPLOIT
EPSS: 13.84% (96.1th percentile)
An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read access, by means of an HTTP GET request to http://<host>:32080/download/ followed by the absolute path of the target file.

Affected

3 ranges

Vendor            Product     Version range       Fixed in
dvdfab            12_player   6.2.10 – 6.2.11     (not listed)
dvdfab            playerfab   7.0.0.0 – 7.0.0.5   (not listed)
dvdfab_12_player  playerfab   (not listed)        (not listed)

Detection & IOCs (extracted from sources)

url:  http://<host>:32080/download/
port: 32080
path: /download/C%3a%2fwindows%2fsystem.ini
  • Detect exploitation attempts by monitoring HTTP GET requests to the /download/ endpoint on port 32080, particularly those whose path carries a Windows absolute path (a drive letter followed by a colon, either literal, e.g. C:, or URL-encoded, e.g. C%3a) rather than a media file name.
  • A successful exploitation of CVE-2022-25216 against the Windows system.ini file returns an HTTP 200 response whose body contains the strings 'bit app support', 'fonts', and 'extensions' at the same time; the path /download/C%3a%2fwindows%2fsystem.ini is the check the sources use.
  • Flag HTTP GET requests to /download/ on port 32080 that include URL-encoded Windows absolute paths as indicators of path traversal exploitation attempts: %3a is the encoded colon and %2f the encoded forward slash seen in the observed payload; a backslash separator would appear as %5c, and case variants (%3A, %2F, %5C) and double encoding should be decoded before matching.
  • The vulnerability affects DVDFab 12 Player (recently renamed PlayerFab). The accessible files are limited to those readable by the Windows user account running the DVDFab/PlayerFab process, so the privilege level of that account determines the blast radius: a player running as an administrator exposes the whole file system.
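The two checks from the list above, as an added example (not code from the advisory, the vendor, or any detection rule it links): a log scanner that flags GET /download/ requests on port 32080 carrying a Windows absolute path, decoding URL-encoding (including double encoding and both slash styles), and a classifier that applies the advisory's system.ini success criteria to a response body. The log line format, the sample log lines and the abridged system.ini body are all constructed for the example; only the port, endpoint, payload and marker strings come from the page.

```python
"""Detection helpers for CVE-2022-25216 (DVDFab 12 Player / PlayerFab,
absolute path traversal via GET /download/ on TCP 32080).

Added example, not the advisory's or vendor's code. Implements:
  1. flagging GET requests to /download/ on port 32080 whose path is a
     Windows absolute path (literal or URL-encoded, single or double);
  2. classifying a response as a successful read of C:\\windows\\system.ini
     using the three marker strings the advisory names.
The log format and all sample data below are constructed (assumptions).
"""
import re
from urllib.parse import unquote

# Windows absolute path after /download/: drive letter, colon, then a slash
# or backslash. Matched after decoding, so C%3a%2f, C%3A%5C and C:/ all hit.
_WIN_ABS_PATH = re.compile(r"^/download/([A-Za-z]:[\\/].*)$")

# Markers from the advisory: a 200 body for system.ini contains all three.
SYSTEM_INI_MARKERS = ("bit app support", "fonts", "extensions")

# Constructed log format (assumption): "<src> <dst>:<port> <method> <path> <status>"
_LOG_LINE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = _LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["status"] = int(entry["status"])
    return entry


def traversal_target(path):
    """Return the decoded Windows absolute path requested via /download/, or None."""
    # Decode twice so double-encoded payloads (%253a -> %3a -> :) are caught;
    # a single-encoded or literal path is unchanged by the second pass.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    m = _WIN_ABS_PATH.match(decoded)
    return m.group(1) if m else None


def is_exploit_attempt(entry):
    """GET to /download/ on port 32080 with a Windows absolute path in the URL."""
    return (
        entry is not None
        and entry["method"] == "GET"
        and entry["port"] == 32080
        and traversal_target(entry["path"]) is not None
    )


def is_system_ini_read(status, body):
    """True when the response matches the advisory's success criteria."""
    text = body.lower()
    return status == 200 and all(marker in text for marker in SYSTEM_INI_MARKERS)


def scan_log(lines):
    """Return (source IP, decoded target path) for every exploitation attempt."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if is_exploit_attempt(entry):
            hits.append((entry["src"], traversal_target(entry["path"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 192.168.1.20:32080 GET /download/C%3a%2fwindows%2fsystem.ini 200",
    "10.0.0.5 192.168.1.20:32080 GET /download/C%3A%5CUsers%5CAdmin%5C.ssh%5Cid_rsa 200",
    "10.0.0.7 192.168.1.20:32080 GET /download/movie.mp4 200",
    "10.0.0.9 192.168.1.20:8080 GET /download/C%3a%2fwindows%2fsystem.ini 404",
    "10.0.0.5 192.168.1.20:32080 GET /download/%43%253a%252fwindows%252fwin.ini 200",
]

# Constructed, abridged system.ini body carrying the three advisory markers.
SAMPLE_SYSTEM_INI = "; for 16-bit app support\n[386Enh]\n[drivers]\n[mci]\n[fonts]\n[extensions]\n"

if __name__ == "__main__":
    for src, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {target}")
    print("system.ini read:", is_system_ini_read(200, SAMPLE_SYSTEM_INI))
```

The legitimate media request (movie.mp4) and the same payload sent to a different port are deliberately left out of the hits; the double-encoded win.ini request is caught because the path is decoded twice before matching. `is_system_ini_read` is a pure function so it can be applied to a captured response body from a scanner or proxy log without the example itself touching the network.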

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd     v2.0     7.8    HIGH      AV:N/AC:L/Au:N/C:C/I:N/A:N